Annotation of embedaddon/trafshow/trafshow.1, revision 1.1.1.1

.TH TRAFSHOW 1 "May 2004"
.SH NAME
trafshow - full screen show of network traffic
.SH SYNOPSIS
.B trafshow
[\fB-vpnb\fP]
[\fB-a\fP \fIlen\fP]
[\fB-c\fP \fIconf\fP]
[\fB-i\fP \fIname\fP]
[\fB-s\fP \fIstr\fP]
[\fB-u\fP \fIport\fP]
[\fB-R\fP \fIrefresh\fP]
[\fB-P\fP \fIpurge\fP]
[\fB-F\fP \fIfile\fP | \fIexpr\fP]
.SH DESCRIPTION
.PP
.B TrafShow
is a simple interactive program that gathers the \fBnetwork traffic\fP from
all libpcap-capable interfaces, accumulates it in a memory cache, and then
separately displays it in a curses window, one line per flow, as a list of
network flows sorted by throughput. Display updates occur nearly in real time,
asynchronously from the data collection, so it looks like a \fBlive show\fP
of traffic flows. All kinds of network traffic (Ethernet, IP, etc.) are mixed
together on the one live-show screen.
.br
\fBHint\fP: press the `\fBH\fP' key inside a show to get brief help!
.PP
IP traffic can be \fBaggregated\fP by netmask prefix bits and service ports
to reorganize a heap of trivial flows into tree-like hierarchies suitable for
human perception. The user can glance over the list of resulting flows and
select one to browse its details. In this way you can descend into the traffic
inheritance hierarchy and inspect the packets of each trivial flow in a variety
of presentations: raw hex, ASCII, time-stamped.
.br
The program performs aggregation automatically when the number of flows exceeds
some reasonable amount. A few seconds after launch may be required to adapt to
your volume of traffic.
Use the \fB-a\fP \fIlen\fP option (see below) to override the default behaviour.
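The aggregation described above, as an added example written for this page (it is not TrafShow's own code): flows are keyed by the source and destination network prefix of \fIlen\fP bits plus the service port, summed and sorted by throughput. The sample flows are constructed, the choice of the lower-numbered port as the "service port" is an assumption, and prefix lengths larger than the address family allows are clamped. With \fIlen\fP = 0 every address collapses into one network, so only the services remain, as the \fB-a\fP hint below describes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows: (src, dst, proto, sport, dport, bytes).
# Made-up values for illustration; not captured traffic.
SAMPLE_FLOWS = [
    ("10.1.2.10", "192.0.2.5",  "tcp", 51000, 80,  12000),
    ("10.1.2.11", "192.0.2.5",  "tcp", 51001, 80,   8000),
    ("10.1.2.12", "192.0.2.9",  "tcp", 51002, 443, 30000),
    ("10.1.3.7",  "192.0.2.5",  "tcp", 51003, 80,   5000),
    ("10.1.2.10", "192.0.2.53", "udp", 40000, 53,    300),
    ("10.1.3.8",  "192.0.2.53", "udp", 40001, 53,    200),
]


def service_port(sport, dport):
    """Heuristic (assumption): the lower-numbered port is the service port."""
    return min(sport, dport)


def network_of(addr, prefix_len):
    """Network that `addr` falls into for `prefix_len` bits, clamped per address family."""
    ip = ipaddress.ip_address(addr)
    plen = min(prefix_len, ip.max_prefixlen)  # e.g. len 64 on an IPv4 address becomes /32
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def aggregate(flows, prefix_len=None):
    """Sum bytes per flow key and sort by throughput, highest first.

    prefix_len=None keeps trivial (per-address, per-port) flows; an integer
    collapses addresses to their prefix and ports to the service port, and
    0 collapses every address into one network so only services remain.
    """
    totals = defaultdict(int)
    for src, dst, proto, sport, dport, nbytes in flows:
        if prefix_len is None:
            key = (src, dst, proto, sport, dport)
        else:
            key = (str(network_of(src, prefix_len)),
                   str(network_of(dst, prefix_len)),
                   proto, service_port(sport, dport))
        totals[key] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def render(rows):
    """One line per flow, largest first, roughly like the live-show list."""
    return "\n".join(f"{' '.join(map(str, key)):<48} {nbytes:>8}"
                     for key, nbytes in rows)


if __name__ == "__main__":
    for plen in (None, 24, 0):
        print(f"--- prefix len {plen} ---")
        print(render(aggregate(SAMPLE_FLOWS, plen)))
```

Running it prints the same six flows three times: untouched, folded into /24 networks per service, and folded into services only.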
.PP
.B TrafShow
also listens on a UDP port (9995 by default) for feeds from diverse \fBCisco
Netflow\fP exporters and then separately displays the collected data in the
same manner as described above. The following versions of Netflow are
currently supported: V1, V5, V7.
Use the \fB-u\fP \fIport\fP option (see below) to override the default behaviour.
.PP
This program is at least handy for locating suspicious traffic on the net
very quickly on demand, or for evaluating real-time traffic bandwidth
utilization, in a simple and convenient environment. But it is not intended
for collecting and analysing network traffic over a long period of time,
nor for billing!
.PP
The program is meant to be IPv6 compatible and ready to use, but it is not
tested enough. Define INET6 to enable it.
.SH OPTIONS
.TP
\fB-v\fP
Print detailed version information and exit.
.TP
\fB-p\fP
Do not put interface(s) into promiscuous mode.
.TP
\fB-n\fP
Do not convert numeric values to names (host addresses, port numbers, etc.).
The mode can be toggled On/Off during a show by pressing the `\fBN\fP' key.
.TP
\fB-b\fP
Place backflow entries next to their main streams in the sorted list of
traffic flows.
.br
\fBNote\fP: this mode can raise the system load dangerously high because it
takes a lot of CPU cycles!
.TP
\fB-a\fP \fIlen\fP
Aggregate traffic flows using the IP netmask prefix \fIlen\fP. This option
also turns on service port aggregation. \fIlen\fP is expected as the number of
\fBbits\fP in the network portion of IP addresses (as in CIDR notation).
The aggregation \fIlen\fP can be changed during a show by pressing the
`\fBA\fP' key, and turned Off by entering an empty string.
.br
\fBHint\fP: use \fI0\fP to reduce the output to network services only.
.TP
\fB-c\fP \fIconf\fP
Use the alternate color \fIconfig file\fP instead of the default \fI/etc/trafshow\fP.
.TP
\fB-i\fP \fIname\fP
Listen on the specified network interface \fIname\fP.
If unspecified, \fBTrafShow\fP collects data from \fIall\fP network interfaces
configured \fBUP\fP in the system. In the latter case the system must supply
enough packet capture devices (like /dev/bpf#).
.TP
\fB-s\fP \fIstr\fP
Search for and follow the list \fBitem\fP matched by \fIstring\fP, moving the
cursor bar. The found \fBitem\fP tries to stay highlighted. The mode can be
turned Off by pressing `\fBCtrl\fP-\fB/\fP' or [re]entered again by pressing
`\fB/\fP' directly in the live show.
.TP
\fB-u\fP \fIport\fP
Listen on the specified UDP \fIport\fP number for the \fBCisco Netflow\fP feed.
The default port number is \fI9995\fP.
.br
\fBHint\fP: use \fI0\fP to disable this functionality.
.TP
\fB-R\fP \fIrefresh\fP
Set the \fBrefresh period\fP of the data show to \fIrefresh\fP seconds,
\fI2\fP seconds by default. This option can be changed during a show by
pressing the `\fBR\fP' key.
.TP
\fB-P\fP \fIpurge\fP
Set the expired data \fBpurge period\fP to \fIpurge\fP seconds, \fI10\fP
seconds by default. This option can be changed during a show by pressing the
`\fBP\fP' key.
.TP
\fB-F\fP \fIfile\fP
Use \fIfile\fP as input for the \fBfilter expression\fP.
.TP
\fIexpr\fP
Select which packets will be displayed. If no \fIexpression\fP is given,
all packets on the net will be displayed. Otherwise, only packets for
which \fIexpression\fP is `true' will be displayed.
.br
The \fBfilter expression\fP can be changed during a show by pressing the
`\fBF\fP' key, and turned Off by entering an empty string.
.br
See the \fBtcpdump\fP(1) man page for the \fBfilter expression\fP syntax.
.SH FILES
.TP
.I /etc/trafshow
The default colors configuration file, if any.
.TP
.I $HOME/.trafshow
The personal file with user-defined colors.
.SH COLORS
.PP
If \fBTrafShow\fP has been compiled with modern curses libraries such as
\fBSlang\fP or \fBNcurses\fP, it is able to show colored traffic on a
color-capable terminal. Hopefully no special actions are required to install
them, because your system has had them by default (at least in recent years).
.PP
The syntax of the \fBTrafShow\fP color configuration file is as follows:
.TP
\fIdefault\fP \fIfcolor\fP\fB:\fP\fIbcolor\fP
Set the default screen background color pair.
.TP
\fIport\fP[\fB/\fP\fIproto\fP] \fIfcolor\fP\fB:\fP\fIbcolor\fP
Set the color pattern by service port.
.TP
[\fIproto\fP] \fIsrc\fP[\fB/\fP\fImask\fP][\fB,\fP\fIport\fP] \fIdst\fP[\fB/\fP\fImask\fP][\fB,\fP\fIport\fP] \fIfcolor\fP\fB:\fP\fIbcolor\fP
Set the color pattern by pair of source and destination addresses.
.PP
The tokens \fI*\fP, \fIany\fP, or \fIall\fP match \fBANY\fP in the pattern.
\fIfcolor\fP is the foreground color and \fIbcolor\fP is the background color.
.br
fcolor and bcolor may be one of the following:
.TP
.I black  red  green  yellow  blue  magenta  cyan  white
It is also possible to specify a color as a number from 0 to 7.
.PP
An upper-case \fIF\fPcolor means \fBbright on\fP.
An upper-case \fIB\fPcolor means \fBblink on\fP.
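A parser for the color configuration syntax just described, written for this page as an added example (it is not TrafShow's own configuration code). The sample file is constructed. Beyond what the man page states, it assumes that lines starting with `#' are comments, that the first matching non-default rule wins, and that a port rule matches when either endpoint's port equals the given port; the page does not specify those details.

```python
import ipaddress

COLOR_NAMES = ["black", "red", "green", "yellow", "blue", "magenta", "cyan", "white"]
WILDCARDS = {"*", "any", "all"}

# Constructed sample config exercising every rule form from the man page.
SAMPLE_CONFIG = """\
# comment lines are an assumption of this parser, not documented behaviour
default white:black
22/tcp Green:black
53/udp cyan:black
80 yellow:black
tcp 10.0.0.0/8,any 192.0.2.7,443 red:Blue
any any White:red
"""


def parse_color(token):
    """One color token -> (index 0..7, upper-case flag). Upper-case initial
    means bright for fcolor and blink for bcolor."""
    if token.isdigit():
        n = int(token)
        if not 0 <= n <= 7:
            raise ValueError(f"color number out of range: {token}")
        return n, False
    name = token.lower()
    if name not in COLOR_NAMES:
        raise ValueError(f"unknown color: {token}")
    return COLOR_NAMES.index(name), token[0].isupper()


def parse_pair(token):
    """fcolor:bcolor -> dict with fg, bg, bright, blink."""
    fg, sep, bg = token.partition(":")
    if not sep:
        raise ValueError(f"expected fcolor:bcolor, got {token}")
    fidx, bright = parse_color(fg)
    bidx, blink = parse_color(bg)
    return {"fg": fidx, "bg": bidx, "bright": bright, "blink": blink}


def parse_endpoint(token):
    """src[/mask][,port] -> (network or None for ANY, port or None for ANY)."""
    addr, _, port = token.partition(",")
    net = None if addr in WILDCARDS else ipaddress.ip_network(addr, strict=False)
    port_val = None if (not port or port in WILDCARDS) else int(port)
    return net, port_val


def parse_rule(line):
    fields = line.split()
    colors = parse_pair(fields[-1])
    pattern = fields[:-1]
    if pattern == ["default"]:
        return {"kind": "default", **colors}
    if len(pattern) == 1:                       # port[/proto]
        port, _, proto = pattern[0].partition("/")
        return {"kind": "port", "port": int(port), "proto": proto or None, **colors}
    if len(pattern) in (2, 3):                  # [proto] src dst
        proto = pattern[0] if len(pattern) == 3 else None
        return {"kind": "addr", "proto": proto,
                "src": parse_endpoint(pattern[-2]),
                "dst": parse_endpoint(pattern[-1]), **colors}
    raise ValueError(f"unrecognised pattern: {line}")


def parse_config(text):
    """Parse a whole config file; errors carry the offending line number."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):    # assumption: '#' starts a comment
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return rules


def endpoint_matches(endpoint, addr, port):
    net, want_port = endpoint
    if net is not None and ipaddress.ip_address(addr) not in net:
        return False
    return want_port is None or want_port == port


def lookup(rules, proto, src, sport, dst, dport):
    """First matching non-default rule wins (assumption); else the default rule."""
    fallback = None
    for rule in rules:
        if rule["kind"] == "default":
            fallback = fallback or rule
            continue
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        if rule["kind"] == "port":
            if rule["port"] in (sport, dport):  # assumption: either endpoint's port
                return rule
        elif endpoint_matches(rule["src"], src, sport) and \
                endpoint_matches(rule["dst"], dst, dport):
            return rule
    return fallback


if __name__ == "__main__":
    for rule in parse_config(SAMPLE_CONFIG):
        print(rule)
```

Checking a personal $HOME/.trafshow with parse_config before use catches an unknown color name or a malformed address with a line number, rather than finding out on the live screen.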
.SH SEE ALSO
pcap(3), tcpdump(1), bpf(4)
.SH ACKNOWLEDGEMENTS
Thanks to Van Jacobson <van(at)helios.ee.lbl.gov> and
Steven McCanne <mccanne(at)helios.ee.lbl.gov>,
all of Lawrence Berkeley Laboratory,
University of California, Berkeley.
Special thanks to Jun-ichiro itojun Hagino <itojun(at)iijlab.net> for the IPv6
patches.
.SH AUTHOR
Vladimir Vorobyev <bob(at)turbo.nsk.su>.
.SH BUGS
Depending on the traffic volume, \fBTrafShow\fP can take a lot of CPU cycles and
memory.
.br
It is impossible to use packet matching \fBexpressions\fP in the NetFlow mode.
